Libnids IP Fragmentation Remote NULL Pointer Dereference

The designer of the popular library Rafal Wojtczuk (also known as nergal) discovered this vulnerability as we can read in the release notes of the 1.2.4 version of the library available here. As the release notes state, the vulnerability is located at src/ip_fragment.c and here is the equivalent code from 1.23 version of the library…

You can read from the comment the aim of this routine. The ‘while’ loop will iterate as long as integer ‘ip_frag_mem’ is larger than ‘IPFRAG_LOW_THRESH’ which is defined in the same source code file like this:

/*
Fragment cache limits. We will commit 256K at one time. Should we
cross that limit we will prune down to 192K. This should cope with
even the most extreme cases without allowing an attacker to
measurably harm machine performance.
*/
#define IPFRAG_HIGH_THRESH (256*1024)
#define IPFRAG_LOW_THRESH (192*1024)

Next, if the ‘this_host->ipqueue’ that describes an entry in the “incomplete datagrams” queue is NULL, it will immediately call panic(). Otherwise, it will invoke ip_free() on this queue entry. However, ‘this_host’ pointer which keeps the fragments for this host might be NULL and thus, each access to the ‘ip_frag_mem’ integer will lead to a NULL pointer dereference which could later result in exploitable situations at ip_free() function. This was patched like this: